SE-PostgreSQL for Fedora (Re: Guideline for RPM packages)
KaiGai Kohei
kaigai at kaigai.gr.jp
Thu Jul 26 16:25:04 UTC 2007
By the way, I'm seeking sponsors who can review the SE-PostgreSQL package.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249522
If you can volunteer for the review process, please contact me.
Thanks,
>>>> If I remember correctly, someone posted a guideline to make
>>>> an RPM package which contains binary security policy, several
>>>> weeks ago.
>>>>
>>>> If you know the URL, would you tell me the location?
>>> There is a draft guide at:
>>> http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
>> Thanks, so much!
>
> I have a comment for the Policy Module Packaging Guideline.
>
> The document says all *.pp files should be installed for every sort of policy
> (targeted, strict, mls) in the %post section.
> However, it can cause a problem when some of the policies are not installed yet.
>
> When we try to install an application including a policy package on a system
> which has only the targeted policy, installation of the *.pp files for strict/mls
> will fail, needless to say.
> If we want to install selinux-policy-strict or -mls later, the orphan *.pp files
> are not linked automatically because "/usr/bin/semodule -i" is not invoked.
> It will cause a simple problem, but one that is a bit difficult to find out.
>
> I have an idea that uses "%triggerin" to invoke "/usr/bin/semodule -i" to link
> orphan *.pp files on installation of selinux-policy-* packages later, as follows:
>
> ----------------
> %triggerin -- selinux-policy-targeted
> if [ $1 -eq 1 ]; then
>     /usr/sbin/semodule -s targeted -i %{_datadir}/selinux/targeted/mymodule.pp &> /dev/null || :
> fi
> %triggerin -- selinux-policy-strict
> if [ $1 -eq 1 ]; then
>     /usr/sbin/semodule -s strict -i %{_datadir}/selinux/strict/mymodule.pp &> /dev/null || :
> fi
> %triggerin -- selinux-policy-mls
> if [ $1 -eq 1 ]; then
>     /usr/sbin/semodule -s mls -i %{_datadir}/selinux/mls/mymodule.pp &> /dev/null || :
> fi
> ----------------
>
> If the application is installed on a system which already has selinux-policy-strict,
> "%triggerin -- selinux-policy-strict" will be invoked just when the application is
> installed, so there is no degradation.
>
> Thanks,
--
KaiGai Kohei <kaigai at kaigai.gr.jp>
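
The orphan-module condition described in the message above can be checked directly; this is an added example, not part of the original message or of any Fedora package. The names `find_orphans`, `list_loaded`, `SELINUX_CONF_ROOT` and `SELINUX_DATA_ROOT` are hypothetical, and the script assumes that an installed policy store has a directory under /etc/selinux and that module packages are shipped under /usr/share/selinux/<store>/.

```shell
#!/bin/sh
# Added example: report policy stores in which a shipped *.pp file is an
# orphan, i.e. the store is installed but the module was never linked into it.
# Both roots are assumptions and can be overridden for offline testing.
: "${SELINUX_CONF_ROOT:=/etc/selinux}"        # one directory per installed store
: "${SELINUX_DATA_ROOT:=/usr/share/selinux}"  # <store>/<module>.pp shipped by packages

# list_loaded STORE: print the names of the modules linked into STORE, one per
# line. "semodule -l" prints the module name in the first column.
list_loaded() {
    /usr/sbin/semodule -s "$1" -l 2>/dev/null | awk '{print $1}'
}

# find_orphans MODULE: print each store that ships MODULE.pp, is installed,
# and does not have MODULE loaded.
find_orphans() {
    module=$1
    for pp in "$SELINUX_DATA_ROOT"/*/"$module.pp"; do
        # An unmatched glob stays literal, so skip anything that is not a file.
        [ -f "$pp" ] || continue
        store=$(basename "$(dirname "$pp")")
        # The policy for this store is not installed: the *.pp file cannot be
        # linked yet, which is the case the %triggerin scriptlets handle later.
        [ -d "$SELINUX_CONF_ROOT/$store" ] || continue
        if ! list_loaded "$store" | grep -qx "$module"; then
            echo "$store"
        fi
    done
}

# Usage: sh find_orphans.sh mymodule
if [ -n "${1:-}" ]; then
    find_orphans "$1"
fi
```

Each store name printed is one where running `semodule -s <store> -i` on the shipped file is still pending.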